Debian Bug report logs -
#818497
busybox: CVE-2016-2148: heap overflow in OPTION_6RD parsing
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Thu, 17 Mar 2016 16:27:01 UTC
Severity: normal
Tags: fixed-upstream, security, upstream
Found in version busybox/1:1.20.0-7
Fixed in version busybox/1:1.27.2-1
Done: Chris Boot <bootc@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#818497; Package src:busybox.
(Thu, 17 Mar 2016 16:27:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Install System Team <debian-boot@lists.debian.org>.
(Thu, 17 Mar 2016 16:27:06 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: busybox
Version: 1:1.20.0-7
Severity: normal
Tags: security upstream fixed-upstream
Hi,
the following vulnerability was published for busybox, filling for
tracking purpose.
CVE-2016-2148[0]:
heap overflow in OPTION_6RD parsing
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-2148
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Reply sent
to Chris Boot <bootc@debian.org>:
You have taken responsibility.
(Sun, 17 Sep 2017 17:21:19 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Sun, 17 Sep 2017 17:21:19 GMT) (full text, mbox, link).
Message #10 received at 818497-close@bugs.debian.org (full text, mbox, reply):
Source: busybox
Source-Version: 1:1.27.2-1
We believe that the bug you reported is fixed in the latest version of
busybox, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 818497@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Chris Boot <bootc@debian.org> (supplier of updated busybox package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 17 Sep 2017 17:59:31 +0100
Source: busybox
Binary: busybox busybox-static busybox-udeb busybox-syslogd udhcpc udhcpd
Architecture: source
Version: 1:1.27.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Install System Team <debian-boot@lists.debian.org>
Changed-By: Chris Boot <bootc@debian.org>
Description:
busybox - Tiny utilities for small and embedded systems
busybox-static - Standalone rescue shell with tons of builtin utilities
busybox-syslogd - Provides syslogd and klogd using busybox
busybox-udeb - Tiny utilities for the debian-installer (udeb)
udhcpc - Provides the busybox DHCP client implementation
udhcpd - Provides the busybox DHCP server implementation
Closes: 794526 802702 803097 812074 818497 818499 873472
Changes:
busybox (1:1.27.2-1) unstable; urgency=medium
.
* New upstream release. This addresses:
- Segmentation fault when creating compressed tar files. (Closes: #812074)
- Pointer misuse unziping files. (Closes: #803097)
- Buffer overflow in the DHCP client [CVE-2016-2148]. (Closes: #818497)
- Integer overflow in the DHCP client [CVE-2016-2147]. (Closes: #818499)
* Postpone creation of symlinks with "suspicious" targets [CVE-2011-5325].
(Closes: #802702)
* Re-enable the test suite during build. (Closes: #794526)
* udhcpc: correct a typo in /etc/udhcpc/default.script. (Closes: #873472)
* Debian packaging changes:
- Run wrap-and-sort -st.
- Update debian/control:
- Replace Uploaders with myself and Christoph Biedl. Many thanks to
Bastian Blank and Michael Tokarev for having maintained busybox for
many years prior.
- Remove Build-Depends to avoid ancient broken libc-dev-bin.
- Bump Build-Depends on debhelper to >= 10.
- Rewrite debian/rules:
- Simplify and use the dh sequencer.
- Remove test for ancient broken libc6 versions with static binaries.
- Strip -O2 from CFLAGS, falling back to -Os from the busybox
configuration.
- Abort the build if 'make oldconfig' changes the configuration at all.
- Update busybox build configuration files for the new upstream release.
- The udeb configuration mostly hasn't changed, but enable fgrep,
blkdiscard, bzcat and lsscsi.
- The deb and static configurations have had upstream recommendations
enabled for new options.
- Switch to debhelper compatibility level 10.
- Add Depends on lsb-base to busybox-syslogd and udhcpd.
- Update debian/.gitignore.
- Update Standards-Version to 4.0.1:
- Disable tests that require networking.
Checksums-Sha1:
4c7441a1204b61438f0eb2f272698fe372eede71 2359 busybox_1.27.2-1.dsc
11669e223cc38de646ce26080e91ca29b8d42ad9 2216527 busybox_1.27.2.orig.tar.bz2
25b8ec9d11fe9fcb8e2d79621a32b760c7d3c10f 49272 busybox_1.27.2-1.debian.tar.xz
54cf758c6edeaf2bda34d6b8e08a44ba062b68cf 7236 busybox_1.27.2-1_amd64.buildinfo
Checksums-Sha256:
67947957df59b7e145af1453c1a8cd28c3cd39d9d13cf1f2e7a12b8d073b4e81 2359 busybox_1.27.2-1.dsc
9d4be516b61e6480f156b11eb42577a13529f75d3383850bb75c50c285de63df 2216527 busybox_1.27.2.orig.tar.bz2
f2ed3f2e3dc63487efec85d65167e6a4fb31f6b300f1a45fd284de0d10405b8c 49272 busybox_1.27.2-1.debian.tar.xz
38714b5eb9f437dd78eca0bc12379a651c71ddbf2c99eba3e40289d651244b77 7236 busybox_1.27.2-1_amd64.buildinfo
Files:
300538e8de0e12d9bd8939b3330357c2 2359 utils optional busybox_1.27.2-1.dsc
476186f4bab81781dab2369bfd42734e 2216527 utils optional busybox_1.27.2.orig.tar.bz2
4176babb785eb5f2b3289c24343ef7e1 49272 utils optional busybox_1.27.2-1.debian.tar.xz
87423bdbf689420d433ee08c59ccb3e2 7236 utils optional busybox_1.27.2-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE2oqQ9X/7HWR+QDTaQRpzPmfWT/4FAlm+rDdfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldERB
OEE5MEY1N0ZGQjFENjQ3RTQwMzREQTQxMUE3MzNFNjdENjRGRkUACgkQQRpzPmfW
T/5ExRAA6rbhIacnoEgLN3g5YImMrlqz+Cyvc2+Y6Rw/bkKlXDQ62QEDuyN7ylPS
O51RquWR1nTcK1YLqYiFaqYs/XkaNvhCpuuKPwEbwosaUhg52OQFT+U18B3dfaHw
/xVOekqYrEEJGC4X1lqE3xv3KQH04UZcrhPBu2L2FnGnx/sTIuWcqJlWS3GTRDCZ
9qpSvYWzuvj5yM6SmRbqx+lWD5QI5cjvxQYcQpbIuDUaqF8owHP+wHGxcrrSok0P
1kCUUMvdRUJ4BzRiVhjE1G1j1zDvRqBDywAeAVq4Ch0weHE0nLqz5+JXAtEktyVA
bYVnN6H2mb2P+JzzeXlK66eFu1CYKtPuq5v/sTCNadXJ84w5NyBry/fqXJjBqqkL
gvN7/WpZ8bX8BRh/YE3fJ31nSpvLIeY5wqBuSs0Pfy+Ob/K3Kk1uJVMc0JB8FCTK
hA0JGpU7PULSqVIEWFN1SvOUQsczLQCqi9bgHLOacWV2BfCdZpvUEl/kJJTU9AFt
sAu0EEdITZu8m8DRru9GM1VFARsViDwkfBSJp/D/kvHThC7VwPjBOrlDrn6/Vw/9
NCcYp43mmKO4WA90tZnvo0gmu5L3CikFfAYJalkC2D6yIQ11XwWe4FI4qrnxluv8
AGZ1M6CfSjGeC2REqWVu3VqjnRk8/nbC6wqkiwac1JBYjn1CyOY=
=AQ2U
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sat, 21 Oct 2017 07:34:45 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 17:51:13 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon